It would be fantastic if Age (or at least something similar) could become standard on Unix machines. I'd love a more Unix-philosophy following tool than GPG/PGP to be around for encryption. That said, I don't think new standard tools for Unix machines are very common. The closest thing I can think of in the last while is `jq`, but it's not "preinstalled on your machine" kind of standard, just "my script might just use it and expect you to have it" kind of standard.
People might assume you have ripgrep, or fd, I suppose?
Ultimately, though, I think the importance of having a guarantee that the OS has the complete built-in 'swiss army chainsaw' (to borrow a Perl-ism) just isn't as high priority in the age of modern package managed, dependency graphed, fibre connected always online systems vs. big monolithic beasts that you maybe 'make install' the odd extra piece of software you heard about on usenet, once the 300 baud modem is done bleep-blooping out the source from the CVS repository. =P
That said, we do get new toys, right up to the kernel level; compression algorithms like zstd, hashing algorithms like xxhash, the slow & steady (glacial?) advance of BTRFS features...
If there is demand for something like age, you'd expect it'll filter through into the base of distros, become 'de facto standard', glom onto the kernel, etc. etc. like other stuff people find useful and want, no?
(Even if not, it's written in go, so... 'go install filippo.io/age/cmd/...@latest'? =d
Issues aside, modern lang-specific package managers make it stupidly easy to grab software these days.)
Isn't POSIX userspace mostly standardized? We should be pretty conservative with what goes into such a standard, but something like age and jq IMO meet that level of utility to justify it.
Yeah POSIX standardizes a bunch of tools, mostly the ones you'd expect (cut, cat, file, etc). I agree with the conservative standardization for the most part, but I selfishly would love these more niche tools to be available on a fresh box. Good point though, I just want to be a little lazier in my script writing I guess :)
I guess distros are the next layer over POSIX standard. Distributions have the ability to, mostly arbitrarily, select the default packages they ship in their releases.
Chicken and egg problem. People use sh/bash because it is everywhere and standard. Requires energy to justify using an objectively superior tool if it is not default installed.
I would love if I could count on Just, fish, ripgrep, or any other multitude of tools that improve upon these CLI apis that were invented ad hoc and ossified in the 70s. Paved a lot of cow paths.
Doing one thing and doing it well is all and good, but most people are not interested in having to manually mess around with up to 4 raw keys in the pursuit of that. That's particularly true if you are doing pipes and you don't have any good place to put all those keys.
This is a little vacuous. Why are you signing? Why are you encrypting? Those are different operations. What are you trying to accomplish? The biggest problem with PGP is that its most popular use cases tend to be people bodging this old clanking command line tool into cryptosystems that (a) PGP wasn't designed for and (b) purpose-built cryptosystems are much better at.
One of the reasons age is so constrained is that the problems best served by direct simple file encryption are quite narrow.
In any case I can think of, people encrypt things because they want to restrict who can know what those things are.
>Why are you signing?
In the context of encrypted files, you would sign because you want to know if an attacker has modified or more simply just replaced your file. Authenticated encryption is considered more or less standard these days.
>Those are different operations.
Except for niche applications like password storage, most people want/need authentication. Giving someone a raw encryption utility like Age is almost always going to result in a situation where that user is not protected against modification/replacement when they do asymmetrical encryption. That is assuming that they can figure out the keys for even just the encryption.
Well actually it does if the attacker does not have access to the decryption key ... which is very much the normal case. Yes, I know about "surreptitious forwarding" but I consider the idea silly in terms of usability[1].
>asymmetrical encryption is authenticated if you keep your recipient key a secret...
This is an expression of the idea that you can just keep the recipient identity (public key) away from the attacker and prevent them from creating a valid ciphertext. The fundamental issue is that this depends on a poorly specified property of the cryptography. Any protection against an attacker being able to derive the public key is merely accidental. The author of the linked article says:
>I am confident the property holds for the X25519 recipients, and that it would hold for a hypothetical Kyber768+X25519 one,...
... but provides no explicit argument to that effect. ... and then continues:
>...but it's important not to advertise it as an age-wide property.
In practice the recipient identity key will show up on the command line and/or will be kept in an unencrypted file. Age itself treats it as a potentially public value.
If you and the recipient have the ability to share and keep a secret value secret, why use asymmetrical encryption in the first place? Why not put that value in the plaintext as discussed previously in the article? The reason that there is not more research into the security of secret recipient identities is because there is no practical value in such use.
_o/ hi all, age author here! age is the one of my projects that grew most organically into an ecosystem. It's always great to see what people build with it. Happy to answer any questions.
- an official TypeScript implementation https://github.com/FiloSottile/typage (based on libsodium.js in the latest version, and on pure-js Noble libraries on main)
Age is great. I used the rust crate to write an ftp server that encrypts the files before they hit disk (specific use case is having a drop box for my network scanner) and I love the simplicity and composability it provides.
One feature request: it would be awesome to have paraphrase encryption for age private keys.
Combining Passage, pass-otp, and age into a single Go app has actually been on my personal hobby-project TODO list (but I haven't gotten around to it yet).
Integrating age plugins into this binary is not something I would do, though. Besides the fact that the plugins are separate projects with their own release schedules, they are also in different languages (plugin-yubikey is Rust, plugin-se is Swift, ...), and you would need to fork them anyway for communication. I guess you could bundle the binaries together in a package, and make sure the search path searches for the bundled binaries as a fallback.
Age is designed for a single purpose: Encryption and decryption of files. To create digital signatures use another specialized tool like minisign instead.
Specialized tools are simpler than one do-it-all tool.
> If you encrypt and then sign, an attacker can strip your signature, replace it with their own, and make it look like they encrypted the file even if they don't actually know the contents.
> If you sign and then encrypt, the recipient can decrypt the file, keep your signature, and encrypt it to a different recipient, making it look like you intended to send the file to them.
Both cases assume that the user doesn't understand what a signature means. In either case it means that the signer certified the thing signed. Are paper signatures getting so rare that we are collectively starting to forget this?
Age (and its rust implementation Rage) combined with agenix[0] and age.el[1] has made my self-hosted deployment and management so, so easy without compromising security. That, when combined with general NixOS conveniences is why I'm able to self-host at all. If not for these, just the anxiety of having to setup new server in case of whatever loss and the associated time/opportunity loss kept me from dong the same for years.
Anyway, just want to say that Age is great!
P.S. The author also did an analysis of Restic the backup tool [2] which also prompted me to setup nice backup solution for my machines. Pretty cool.
I’ve used git-crypt[0] with great success. It uses git smudge so you never commit secrets if you set it up properly the first time.
Unfortunately, it doesn’t support groups.
For a solution that scales to teams, check out SOPS[1]. You have to do a little more work to be sure that secrets are ignored in the repo but it works reasonably well and is well known.
Transparent support at the editor level (age.el) sounds really nice though.
With agenix, you can encrypt your secrets, such as API keys, and have them stored in your git repo alongside the system configuration (which in nixos is just a bunch of text files). Then you only need to provision the server with the ed25519 private key corresponding to the pubkey the files were encrypted with, and agenix will automatically decrypt the files on boot and place them in /run/agenix, with the specified access permissions.
So you still need a secret when provisioning, and you need to handle change management for that, and storing it securely outside of the git repo. And agenix did not change that workflow, or did it?
I only need to care about my SSH key(s). Which I had to anyway. But now the secrets for all the services (except SSH) lie right besides their config. Any change in one or other is directly visible in git log.
In short, age cut down on the number and types of secrets that I have to manage out of band. Which is very good. It's always easier to be able to remember 2 things (config + SSH keys) than 2+n things (config + SSH keys + whatever secret mechanism any service uses, times number of services).
So like SOPS, but specific to nix somehow? What is the advantage of the nixy integration here vs the universality of SOPS? Better native integration with NixOS?
To clarify maybe, NixOS puts all configuration and program files it handles in a world-readable object store on disk. If you want to manage secrets on NixOS securely, you have two choices:
- Manage it out of band. That negates all of the benefits of NixOS, at least for those files. (I.e. you would need additional deployment steps, rollback wouldn't work, you would have to stop and migrate system services that depend on those secrets yourself, etc.)
- Encrypt it and only decrypt it on activation (which happens when switching to a new config or on boot). agenix and nix-sops (the premier SOPS/NixOS integration) are two libraries that you can include in your config to do that. With this, the world-readable store only contains encrypted secrets.
Of course with #2 you still have to manage your private keys (age or whatever SOPS uses) out-of-band but that is significantly less work since those aren't expected to change nearly as much. You can also generally decouple that from your day-to-day deployment workflow.
I concur, that is an unfortunate side-effect. The only thing you can then do is to treat yaml as a thing that is constantly out to get you. Make all values strings and use things like > or >- to write strings without having to escape quotes, don't rely on any referencing, except for Ansible's templating itself. Do not code in yaml. Or, if you really want to, perhaps you could even write yaml like json, since json should be accepted format for yaml files.
Coming from Ansible I can understand the distrust in yaml. But I haven't seen half as much yaml weirdness in Kubernetes (and i associate age/sops with k8s). At least not since I stopped making my own helm charts.
I have been using agenix and it is very helpful. I am also looking into writing a system module that makes it easy to generate secrets on the fly.
A lot of secrets are just things like, backend and frontend of some service need to be configured with matching keys, but are both running on the same device. In that case you could have a systemd service which just generates a new random key if it doesn't already exist, and then ensure that the dependent services wait for that service to complete. That way you don't have to store anything in git for those at least.
If you make a second backup tomorrow, you'll end up with a new (huge) encrypted tar. restic handles deltas when creating a second backup, and writes new files so that tools like rsync or rclone have to do less work to upload the new data.
That said, I don't see anything strictly _wrong_ with your approach.
Use specialized backup tools! There are cryptographic constructions designed specifically for backup. You will get better backup and better encryption.
"Better backup" aside, as I understand that I'd miss out on deduplication and all the other things backup software can do like keeping track of what it has backed up etc.
"Better encryption": Can you explain why age's encryption isn't sufficient if it's recommended for encrypting files? Really want to understand how it's recommended for encrypting and sharing a file over an untrusted channel like email, but not recommended to encrypt a file and upload it to an untrusted server.
Age is good at what it does, but note that afaik you probably should almost always pair it with something like signify[1], because age doesn't have integrity/authenticity verification (by design).
Age is a much better experience than PGP/GPG, even though it only has a subset of GPG's features.
The option and argument handling is intuitive; it makes sense instantly. It gives a more grounded understanding of what's happening with the encryption process, especially because of the short-form recipient format.
Also, setting it up with a Yubikey and Passage (a GNU pass alternative for Age) was a breeze.
No, "age" is not only a preexisting word, it's one that's common as dirt.
Having the rust port be "rage" only compounds the problem.
The author's rather Italian-looking name tends to suggest that he wouldn't view a hard G as a possibility for the word "age" either (and the pronunciation link specifically goes to a synthetic Italian pronunciation of the word "aghe"...), so something else is going on.
I don't understand how the author wants to pronounce it. "ag-ay"? It's very confusing that it's an extremely common word which this program decides to pronounce differently.
> I don't understand how the author wants to pronounce it. "ag-ay"?
More or less. In the technical specifics, the English FACE vowel is a diphthong ending at a pretty high point ( https://en.wikipedia.org/wiki/Vowel#Height ), whereas the indicated pronunciation is a monophthong that should be a bit lower.
You might think of the English vowels in FACE / PRICE / CHOICE / GOAT / MOUTH as being "closed off" by a rapid upward tongue movement towards the end of their pronunciation; what the author is asking for here is a version of "FACE" that doesn't have that closure. Or, alternatively, a version of DRESS [which is already a monophthong] that uses a bit higher of a tongue position.
>Kryptor uses strong, fast, and modern cryptographic algorithms, offering post-quantum security. It also addresses security limitations of tools like age and Minisign.
>Unlike most tools, Kryptor limits metadata by using an indistinguishable from random encrypted file format. Encrypted files have no identifiable headers and are randomly padded. File names can also be encrypted.
And from their Secure section [1]:
>Private key encryption for protection at rest, unlike age.
Thanks for sharing, always happy when my projects inspire alternatives addressing different parts of the design space. Here are a few quick comments based on skimming the documentation, let me know if I misinterpreted anything.
- signing support
This has always been a non-goal for age. It makes the UX significantly more complex, but it's good if different tools have different goals.
I can't quite make out from https://www.kryptor.co.uk/specification if it does proper signcryption, sign-then-encrypt (vulnerable to signature stripping and re-signing), or encrypt-then-sign (vulnerable to decrypt-reencrypt-forward, like OpenPGP). If the latter two, it's a missed opportunity to offer more security than age+minisign can offer and I encourage the author to look into it!
As https://www.kryptor.co.uk/security-limitations#post-quantum-... acknowledges, "the asymmetric algorithms in Kryptor aren't post-quantum secure". There is support for adding a pre-shared symmetric key, although I did not find the pre-shared key in the usage section, but I would argue that is not asymmetric encryption.
In this sense, I would actually argue that Kryptor is just as post-quantum secure as age: age's symmetric encryption (the passphrase mode) is post-quantum (see https://words.filippo.io/dispatches/post-quantum-age/). We don't support adding a pre-shared symmetric key to asymmetric encryption, but if you have a secure channel to establish a pre-shared key, you should just use passphrase mode.
This is a pretty wonky topic. age as a whole is key committing (you can't make a file that decrypts with two age identities as different plaintexts, some academic researchers tried!). Our file key encryption is not (https://github.com/FiloSottile/age/commit/2194f6962c8bb3bca8...) which means that if you host an online service that accepts an age file and decrypts it with a passphrase and returns an error if it's incorrect, an attacker can do a bruteforce two passphrases at a time instead of one at a time. Given the online oracle is already unusual as a setting, I am not interested in adding complexity to solve this one.
It's not the default because most threat models don't need it: if you have FDE, who's an attacker that can read files from your disk but not replace the age binary in $PATH?
- indistinguishability from random
Not an age goal, actually we very intentionally put "age-encryption.org/v1" in the header so you can run file(1), and specify the type of the recipients to help plugins disambiguate files. The default recipient type doesn't leak any other metadata (i.e. you can't link age files encrypted to the same recipient).
Massive fan of age and congrats on its success!! On size padding, I know you've patiently listened to me before on this, but I'll always take a chance to advocate for an approach like PURBs ( https://petsymposium.org/2019/files/papers/issue4/popets-201... ).
Let's say you're in a country that suppresses certain material, like copies of the Bible, or the Hacker Manifesto, or whatever; if the authorities find an encrypted file that closely matches the size of that material; that could do you in. But maybe a more realistic case is how the size of maps tiles alone is enough to figure out where you are looking on a map (https://ioactive.com/ssl-traffic-analysis-on-google-maps/), or the size of streaming video segments (https://www.cs.cornell.edu/~shmat/shmat_usenix17.pdf) gives away what you are watching. Both real-world examples of size side-channels. It's not un-imaginable that someone could use a tool like age to build bigger systems like that, where the leaks creep in.
My age v2 note for padding says “use Padmé, see Colm’s comments” :)
I’m not really sold on the UR part of PURBs, though: age wants to avoid asking for a passphrase if the file is not passphrase encrypted, and age-plugin-yubikey wants to avoid asking for a PIN if it’s for the wrong YubiKey. These are tradeoffs and it’s not obvious the very end of the spectrum (uniform random) is the right spot.
For someone that never ever needs signing or authentication, including for ones own backups, who never has malware in their threat model, and trusts this specless tool will be maintained forever, maybe this makes sense?
Even then openssl or sq can solve the problem in the same number of commands but with sntabdards.
Most people are best off going with a modern implementation of the PGP standard, ideally via a smart card to protect you from key exfil via malware.
Tools like Keyfork, Sequoia, and/or openpgp-card-tool are almost certainly what you want for most personal signing, encryption, and authentication use cases.
You get broad compatibility with many many different tools.
> trusts this specless tool will be maintained forever
As per the third sentence of the readme there indeed is a spec[0]. There is also an alternative implementation in the form of rage[1], as well as numerous others listed on the awesome-age page[2].
Age uses standard (and modern) cryptography, and is itself standardized[1].
This is in contrast to the PGP ecosystem, which is infamously fragmented and insistent on maintaining support for insecure and home-baked schemes (e.g. 4880’s weird custom CFB mode). Sequoia has made some progress on the UX side of things, but PGP is a dead horse as far as modern, even conservative cryptographic software design goes.
> Even then openssl or sq can solve the problem in the same number of commands but with sntabdards.
Using OpenSSL to properly encrypt a file is next to impossible, and if you actually succeed at doing so, you’re very unlikely to be following a defined standard.
I do think perhaps it's too little too late - bit in contrast with age it does provide for signing and authentication as well as simple(-ish) key/certificate management.
This drives me a little nuts. There are something like 4 firms† in the world generally recognized as qualified for assessing cryptosystems, against dozens well-known and qualified to audit software but not cryptography. Cryptography is a rare specialty for software security people. How were you going to know whether an "audit" for age was meaningful?
† and, to be fair, dozens of independent practitioners
It's a good observation, but probably a bad example since that page is clear on what criteria they consider for something to be "safe".
That aside, of course DJB would choose criteria that let him label his own curve as "safe".
I'm no cryptographer so ultimately I have no choice but to rely on others' expertise, but that does not mean I take at face value the words of someone talking about their own project. Probably for the same reason HN requires disclosure when talking about something you're involved in.
Meh. The author of age is very experienced and known specifically for security, crypto and within the implementation language (Go).
Audits are only as good as the competence of the auditors and can often turn into checklist rituals. It certainly doesn’t hurt, but audits are not a panacea.
What if the author has become malicious or is being blackmailed? N+1, N+2 is a common expectation in many fields (science replication, all manner of independent audits/investigations, nuclear launch codes, etc).
Agreed, but IMHO claiming that a crypto library is secure without providing independent verification, is like claiming something is fast without providing benchmarks. (And both are the same in the sense that neither is a panacea.)
I'm only bringing up audits because such claim was made, but maybe I should have said "independent verification" instead since it's more general.
Sure, I think we agree in semantics but the wording is difficult. The bar for secure you’re referring to is quite high, a lot of commercial products that brand themselves secure would be much less secure than something like age. These days I think it’s fair to use “secure” in the sense of “made a serious effort to provide certain security properties”. It’s too hard to define, let alone agree, to what secure should mean for everyone.
> Today, I maintain the cryptography packages that ship as part of the Go standard library (crypto/… and golang.org/x/crypto/…), including the TLS, SSH, and low-level implementations, such as elliptic curves, RSA, and ciphers. These packages are critical to virtually every Go application, securing HTTPS requests, implementing authentication, and providing encryption.
I'm no cryptographer so I might be misunderstanding how all this works (also why I have to rely on whatever signal I can catch instead of just reviewing the code myself like with other more mundane dependencies), but it was my impression that in cryptography things were to be considered with skepticism until at least someone else (emphasis on "someone else") with good enough credentials/skills had attempted to break it at least once.
Because the vast majority of new works are not done by one of the few who would be qualified to check it.
You can think of the cryptography community as similar to the math community. If some nobody makes a new proof of a big conjecture, it is considered with skepticism until some big name comes around to verify it. If Terence Tao comes out with a new proof in one of his specialities, people are going to assume it's basically correct or will have only very minor errors that are easily fixed.
